ARPTABLES(8)                System Manager's Manual               ARPTABLES(8)

NAME

       arptables - ARP table administration (legacy)


SYNOPSIS

       arptables [-t table] -[AD] chain rule-specification [options]
       arptables [-t table] -[RI] chain rulenum rule-specification [options]
       arptables [-t table] -D chain rulenum [options]
       arptables [-t table] -[LFZ] [chain] [options]
       arptables [-t table] -[NX] chain
       arptables [-t table] -E old-chain-name new-chain-name
       arptables [-t table] -P chain target [options]


LEGACY

       This tool uses the old xtables/setsockopt framework and is a legacy
       version of arptables. That means that a newer, more modern tool exists
       with the same functionality using the nf_tables framework, and you are
       encouraged to migrate now. The new binaries (formerly known as -compat)
       use the same syntax and semantics as this legacy one.

       You can still use this legacy tool. You should probably get some
       specific information from your Linux distribution or vendor. More docs
       are available at https://wiki.nftables.org


DESCRIPTION

       arptables is a user space tool used to set up and maintain the tables
       of ARP rules in the Linux kernel. These rules inspect the ARP frames
       which they see. arptables is analogous to the iptables user space tool,
       but arptables is less complicated.

   CHAINS
       The kernel table is used to divide functionality into different sets of
       rules. Each set of rules is called a chain. Each chain is an ordered
       list of rules that can match ARP frames. If a rule matches an ARP
       frame, then a processing specification tells what to do with that
       matching frame. The processing specification is called a 'target'.
       However, if the frame does not match the current rule in the chain,
       then the next rule in the chain is examined and so forth. The user can
       create new (user-defined) chains which can be used as the 'target' of a
       rule.

   TARGETS
       A firewall rule specifies criteria for an ARP frame and a frame
       processing specification called a target. When a frame matches a rule,
       then the next action performed by the kernel is specified by the
       target. The target can be one of these values: ACCEPT, DROP, CONTINUE,
       RETURN, an 'extension' (see below) or a user-defined chain.

       ACCEPT means to let the frame through. DROP means the frame has to be
       dropped. CONTINUE means the next rule has to be checked. This can be
       handy to know how many frames pass a certain point in the chain or to
       log those frames. RETURN means stop traversing this chain and resume
       at the next rule in the previous (calling) chain. For the extension
       targets please see the TARGET EXTENSIONS section of this man page.

   TABLES
       There is only one ARP table in the Linux kernel. The table is filter.
       You can drop the '-t filter' argument to the arptables command. The -t
       argument must be the first argument on the arptables command line, if
       used.

       -t, --table
              filter, is the only table and contains two (Linux kernels 2.4.X)
              or three (Linux kernels 2.6.0 and later) built-in chains: INPUT
              (for frames destined for the host), OUTPUT (for locally-generated
              frames) and FORWARD (for frames being forwarded by the bridge
              code). The FORWARD chain doesn't exist in Linux 2.4.X kernels.


ARPTABLES COMMAND LINE ARGUMENTS

       After the initial arptables command line argument, the remaining
       arguments can be divided into several different groups. These groups
       are commands, miscellaneous commands, rule-specifications,
       match-extensions, and watcher-extensions.

   COMMANDS
       The arptables command arguments specify the actions to perform on the
       table defined with the -t argument. If you do not use the -t argument
       to name a table, the commands apply to the default filter table. With
       the exception of the -Z command, only one command may be used on the
       command line at a time.

       -A, --append
              Append a rule to the end of the selected chain.

       -D, --delete
              Delete the specified rule from the selected chain. There are two
              ways to use this command. The first is by specifying an interval
              of rule numbers to delete, syntax: start_nr[:end_nr]. Using
              negative numbers is allowed; for more details about using
              negative numbers, see the -I command. The second usage is by
              specifying the complete rule as it would have been specified
              when it was added.

       -I, --insert
              Insert the specified rule into the selected chain at the
              specified rule number. If the current number of rules equals N,
              then the specified number can be between -N and N+1. For a
              positive number i, it holds that i and i-N-1 specify the same
              place in the chain where the rule should be inserted. The number
              0 specifies the place past the last rule in the chain and using
              this number is therefore equivalent to using the -A command.

       -R, --replace
              Replace the rule at the specified rule number in the selected
              chain with the specified rule. If the current number of rules
              equals N, then the specified number can be between 1 and N. i
              specifies the place in the chain where the rule should be
              replaced.

       -P, --policy
              Set the policy for the chain to the given target. The policy can
              be ACCEPT, DROP or RETURN.

       -F, --flush
              Flush the selected chain. If no chain is selected, then every
              chain will be flushed. Flushing the chain does not change the
              policy of the chain, however.

       -Z, --zero
              Set the counters of the selected chain to zero. If no chain is
              selected, all the counters are set to zero. The -Z command can
              be used in conjunction with the -L command. When both the -Z
              and -L commands are used together in this way, the rule counters
              are printed on the screen before they are set to zero.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed.

       -N, --new-chain
              Create a new user-defined chain with the given name. The number
              of user-defined chains is unlimited. A user-defined chain name
              has a maximum length of 31 characters.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              remaining references to the specified chain, otherwise arptables
              will refuse to delete it. If no chain is specified, all
              user-defined chains that aren't referenced will be removed.

       -E, --rename-chain
              Rename the specified chain to a new name. Besides renaming a
              user-defined chain, you may rename a standard chain name to a
              name that suits your taste. For example, if you like PREBRIDGING
              more than PREROUTING, then you can use the -E command to rename
              the PREROUTING chain. If you do rename one of the standard
              arptables chain names, please be sure to mention this fact
              should you post a question on the arptables mailing lists. It
              would be wise to use the standard name in your post. Renaming a
              standard arptables chain in this fashion has no effect on the
              structure or function of the arptables kernel table.

   MISCELLANEOUS COMMANDS
       -V, --version
              Show the version of the arptables userspace program.

       -h, --help
              Give a brief description of the command syntax.

       -j, --jump target
              The target of the rule. This is one of the following values:
              ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
              EXTENSIONS) or a user-defined chain name.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and byte
              counters of a rule (during INSERT, APPEND, REPLACE operations).

   RULE-SPECIFICATIONS
       The following command line arguments make up a rule specification (as
       used in the add and delete commands). A "!" option before the
       specification inverts the test for that specification. Apart from these
       standard rule specifications there are some other command line
       arguments of interest.

       -s, --source-ip [!] address[/mask]
              The Source IP specification.

       -d, --destination-ip [!] address[/mask]
              The Destination IP specification.

       --source-mac [!] address[/mask]
              The source MAC address. Both mask and address are written as 6
              hexadecimal numbers separated by colons.

       --destination-mac [!] address[/mask]
              The destination MAC address. Both mask and address are written
              as 6 hexadecimal numbers separated by colons.

       -i, --in-interface [!] name
              The interface via which a frame is received (for the INPUT and
              FORWARD chains). The flag --in-if is an alias for this option.

       -o, --out-interface [!] name
              The interface via which a frame is going to be sent (for the
              OUTPUT and FORWARD chains). The flag --out-if is an alias for
              this option.

       -l, --h-length length[/mask]
              The hardware address length (number of bytes).

       --opcode code[/mask]
              The operation code (2 bytes). Available values are: 1=Request
              2=Reply 3=Request_Reverse 4=Reply_Reverse 5=DRARP_Request
              6=DRARP_Reply 7=DRARP_Error 8=InARP_Request 9=ARP_NAK.

       --h-type type[/mask]
              The hardware type (2 bytes, hexadecimal). Available values are:
              1=Ethernet.

       --proto-type type[/mask]
              The protocol type (2 bytes). Available values are: 0x800=IPv4.

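       As an added example (this is not code from the arptables man page or
       from the netfilter project), the following script combines the commands,
       chains, targets and rule specifications described above into a small
       guard against a spoofed gateway binding: any Ethernet/IPv4 ARP frame
       that claims the gateway's IP address with a MAC other than the gateway's
       is dropped, and a CONTINUE rule counts the genuine gateway frames that
       passed. The interface, the addresses and the chain name ARP_GUARD are
       constructed placeholders; the arpt wrapper and its ARPT_DRY_RUN mode are
       this example's own convention for reviewing the rules without root, not
       an arptables option.

```shell
#!/bin/sh
# Added example (not part of the arptables man page): an ARP-spoofing guard
# for a host with one known gateway. The interface, addresses and the chain
# name ARP_GUARD are constructed placeholders.
set -eu

# Wrapper: with ARPT_DRY_RUN=1 the arptables command lines are printed
# instead of executed, so the ruleset can be reviewed without root.
arpt() {
    if [ "${ARPT_DRY_RUN:-0}" = "1" ]; then
        printf 'arptables %s\n' "$*"
    else
        arptables "$@"
    fi
}

# apply_arp_guard IFACE GW_IP GW_MAC
# Drops any Ethernet/IPv4 ARP frame (request or reply, so gratuitous ARP
# as well) that claims the gateway's IP with a MAC other than the gateway's.
apply_arp_guard() {
    iface=$1; gw_ip=$2; gw_mac=$3

    # A user-defined chain keeps the guard rules and their counters separate
    # from whatever else is in INPUT.
    arpt -N ARP_GUARD

    # Sender IP is the gateway's but the sender MAC is not: a spoofed binding.
    # "!" after the option inverts that single match, as the man page shows.
    arpt -A ARP_GUARD --h-type 1 --proto-type 0x800 \
        -s "$gw_ip" --source-mac ! "$gw_mac" -j DROP

    # CONTINUE matches but keeps evaluating; its counters show how many
    # genuine gateway ARP frames passed the check (see arptables -L ARP_GUARD).
    arpt -A ARP_GUARD -s "$gw_ip" -j CONTINUE

    # Hand frames received on the uplink to the guard chain; when the chain
    # ends without a verdict, evaluation resumes at the next rule in INPUT.
    arpt -A INPUT -i "$iface" -j ARP_GUARD

    # Everything the guard did not drop is still accepted.
    arpt -P INPUT ACCEPT
}

# remove_arp_guard IFACE
# Undo in the order -X requires: the chain cannot be deleted while INPUT
# still references it, so the jump goes first, then flush, then delete.
remove_arp_guard() {
    iface=$1
    arpt -D INPUT -i "$iface" -j ARP_GUARD
    arpt -F ARP_GUARD
    arpt -X ARP_GUARD
}

# Usage (as root, on the real table):
#   ./arp_guard.sh apply eth0 192.0.2.1 02:00:00:00:00:01
#   ./arp_guard.sh remove eth0
# Review without root:  ARPT_DRY_RUN=1 ./arp_guard.sh apply eth0 192.0.2.1 02:00:00:00:00:01
case "${1:-}" in
    apply)  apply_arp_guard "$2" "$3" "$4" ;;
    remove) remove_arp_guard "$2" ;;
esac
```

       The remove function deletes the INPUT jump with the full-rule form of
       -D rather than by rule number, so it keeps working if other rules were
       inserted in INPUT in the meantime; the -X step then succeeds because no
       reference to ARP_GUARD remains.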
   TARGET-EXTENSIONS
       arptables extensions are precompiled into the userspace tool. So there
       is no need to explicitly load them with a -m option like in iptables.
       However, these extensions deal with functionality supported by
       supplemental kernel modules.

   mangle
       --mangle-ip-s IP address
              Mangles Source IP Address to given value.

       --mangle-ip-d IP address
              Mangles Destination IP Address to given value.

       --mangle-mac-s MAC address
              Mangles Source MAC Address to given value.

       --mangle-mac-d MAC address
              Mangles Destination MAC Address to given value.

       --mangle-target target
              Target of ARP mangle operation (DROP, CONTINUE or ACCEPT --
              default is ACCEPT).

   CLASSIFY
       This module allows you to set the skb->priority value (and thus
       classify the packet into a specific CBQ class).

       --set-class major:minor
              Set the major and minor class value. The values are always
              interpreted as hexadecimal even if no 0x prefix is given.

   MARK
       This module allows you to set the skb->mark value (and thus classify
       the packet by the mark in u32).

       --set-mark mark
              Set the mark value. The values are always interpreted as
              hexadecimal even if no 0x prefix is given.

       --and-mark mark
              Binary AND the mark with bits.

       --or-mark mark
              Binary OR the mark with bits.


MAILINGLISTS

       See http://netfilter.org/mailinglists.html


SEE ALSO

       iptables(8), ebtables(8), arp(8), rarp(8), ifconfig(8), route(8)

       See http://ebtables.sf.net



                                   June 2018                      ARPTABLES(8)